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Abstract (Summary) 

After a series of break-ins to a large university computer, I was asked 
to look at protection mechanisms for e-mail being sent through the 
system. While the usual approach for protecting such data is 
encryption, I was surprised to learn that few of the administrators 
knew very much about the subject. Public-private key encryption - 
which bypasses the problem of having to send the password to the 
recipient - was a virtually unknown topic among the people I dealt 
with. Assuming that readers, too, may be unfamiliar with this 
technology, here's a quick look at the use of digital signatures and 
public-private key encryption. Standard encryption uses a password 
to convert a readable file to one filled with seemingly random bytes, 
making it unreadable until the same password is used to convert the 
file back to readable format. To decrypt the file, you need the encrypting 
password, which must somehow be sent to the file's recipient. That leaves the 
password open to interception, and the file can then be decrypted. Public key 
encryption relies on two passwords for each user: the private key, which is kept 
secret by the user; and, the public key, which is made available to anyone who 
wants it (such as through a Web pagej.When I want to send a file to someone, 
I get their public key and use it to encrypt the file. The file can then he sent 
through unsecure channels to the recipient, who uses a private key to decrypt 
the message. 
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Copyright Rogers Publishing Limited Aug 6, 1997 

After a series of break-ins to a large university computer, I was asked to look 
at protection mechanisms for e-mail being sent through the system. While the 
usual approach for protecting such data is encryption, I was surprised to learn 
that few of the administrators knew very much about the subject. Public- 
private key encryption - which bypasses the problem of having to send the 
password to the recipient - was a virtually unknown topic among the people I 
dealt with. Assuming that readers, too, may be unfamiliar with this technology, 
here's a quick look at the use of digital signatures and public-private key 
encryption. Standard encryption uses a password to convert a readable file to 
one filled with seemingly random bytes, making it unreadable until the same 
password is used to convert the file back to readable format. To decrypt the 
file, you need the encrypting password, which must somehow be sent to the 
file's recipient. That leaves the password open to interception, and the file can 
then be decrypted. Public key encryption relies on two passwords for each 
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user: the private key, which is kept secret by the user; and, the public key, 
which is made available to anyone who wants it (such as through a Web 
page).When I want to send a file to someone, I get their public key and use it 
to encrypt the file. The file can then he sent through unsecure channels to the 
recipient, who uses a private key to decrypt the message. Obviously, there is a 
relationship between each user's public and private key, but it's a complex 
mathematical formula that guarantees that only the owner of the private key 
can decrypt files. If someone was able to intercept the encrypted file I sent, 
and they had the recipient's public key, they wouldn't be able to decrypt the 
file. Only the private key can decrypt a file. This may sound rather complex, 
but it's not. There are many public key systems on the market, some 
commercial and some readily available to anyone, such as Pretty Good 
Privacy (PGP), which is free. To use the public key software, you provide a 
password to a utility that generates a public key "signature," which you can 
attach to your e-mail messages. Anyone who receives your public key can use 
it to encrypt messages specifically for you. When an encrypted message 
arrives, you supply your password or the location of the private key, and the 
message is decrypted. The entire process can be reduced to a drag-and-drop 
operation on most systems, so user overhead is minimal. How secure is public 
key technology? So far it has proven to be excellent. Although it's possible to 
break the encryption method, it requires computer horsepower far beyond 
what most of us have access to. It's so good, in fact, that the U.S. government 
tried to restrict the author of PGP from distributing his software, arguing it 
made it difficult for government agencies to monitor the population. An 
additional benefit to public key systems is the use of digital signatures. This is 
another key used to "sign" something that you're sending out. When the 
recipient gets the file, their utilities can verify that it was indeed you who sent 
the file. Digital signatures are a sure-fire method of ensuring that you know 
who is sending you material, and proving that files came from you. Finally, a 
quick update on one of my earlier Java columns. As most readers know, 
© Sun Microsystems , which owns and licenses Java, has been pushing Java 
since it was developed two years ago. To try and keep the development 
language in the forefront, it has announced a few new Java developments. 
First, Sun has launched the Personal Java Application Programming Interface 
(API), which is aimed at devices such as the network computer and TV-based 
Web systems. The Personal Java API is intended to allow manufacturers to 
use Java for a variety of purposes, but so far only WebTV Networks has 
signed up. ©Sun's new Embedded Java API is a similar programming tool 
designed to run on low-horsepower CPUs such as those in telephones and fax 
machines. A number of companies are signing up for this API, but no products 
incorporating Java have been announced yet. ©Sun has also announced the 
Java Card standard, which is designed to provide Java-based "smart cards," 
such as pre-paid bank debit cards and telephone cards. Although the two 
largest manufacturers of smart cards - Gem-plus and © Schlumberger - are 
Java licencees, there's no word on what's going to happen with the Java Card 
standard. Still, it's nice to see © Sun pushing Java and trying to make it more 
widely available. I just wonder when all this wonderful Java-based wizardry 
we've been hearing about for two years is going to come to fruition. 
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